nanog mailing list archives
Re: The state-level attack on the SSL CA security model
From: Joakim Aronius <joakim () aronius se>
Date: Thu, 24 Mar 2011 11:19:47 +0100
* Dobbins, Roland (rdobbins () arbor net) wrote:
> On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote:
>
> > Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less.
>
> An argument against doing this prior to fixes being available is that miscreants who didn't know about this previously would be alerted to the possibility of using one of these certs (assuming they could get their hands on one) in conjunction with name resolution manipulation.
The fix here is to delete the compromised UID and revoke the certs; that's done immediately, then inform the public, no reason to wait after that. IF the speculations about a specific nation are true then there is a risk that people there run real (like physical) risks by using e.g. yahoo the last few days. They would have appreciated being informed.
> Note that announcing this prior to fixes would've dramatically increased the resale value of these certificates in the underground economy, making them much more attractive/lucrative.
Why? Surely the value of stolen certs is higher if the public do not know that they exist.

/Joakim